{
	"id": "5ceba9a4-4948-4751-ac36-c5cf06c8009a",
	"created_at": "2026-04-06T00:12:06.846668Z",
	"updated_at": "2026-04-10T03:29:40.187502Z",
	"deleted_at": null,
	"sha1_hash": "5f590eb62908f89341524cd7d0d86ed7706513bf",
	"title": "ESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65584,
	"plain_text": "ESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1)\r\nBy Giovanni Vigna, Oleg Boyarchuk\r\nPublished: 2022-09-28 · Archived: 2026-04-05 16:28:27 UTC\r\nIntroduction\r\nIn recent months, we have observed in our telemetry an increase in ransomware that targets ESXi servers. Since virtualization is the foundation of any large-scale deployment of computing and storage resources, it is not surprising that ransomware actors have now expanded their targets to include virtualization servers: with a single attack it is possible to shut down entire data centers and affect virtualized storage that is shared among workloads, with devastating effects.\r\nIn the following, we provide a comprehensive overview of the families of ransomware that target ESXi servers.\r\nBabuk\r\nThe ransomware called Babuk appeared at the beginning of 2021. Babuk’s builder, which leaked to the public later that year, was used to generate Windows and Linux executables, and it included the VMware ESXi encryptor. The full source code of this ransomware was published by the author on one of the hacker forums later that year.\r\nThe only parameter the ESXi encryptor expects during execution is the path to the target directory. It scans the directory for the presence of files with .log, .vmdk, .vmem, .vswp and .vmsn extensions. Once it finds them, it encrypts them with the stream cipher Sosemanuk.\r\nBabuk drops a text file “How To Restore Your Files.txt” with a ransom note in every folder containing encrypted files. Interestingly, Babuk does not shut down the ESXi virtual machines before encrypting their files. This may cause file corruption or lead to the inability to decrypt files.\r\nIOCs:\r\n4fa565cc2ebfe97b996786facdb454e4328a28792e27e80e8b46fe24b44781af (Builder)\r\ndc90560d7198bf824b65ba2cfbe403d84d38113f41a1aa2f37f8d827fd9e0ceb (ESXi encryptor)\r\nAvosLocker\r\nAvosLocker, specifically targeting Windows machines, was discovered in 2021. One year later, at the beginning of 2022, its Linux variant, targeting VMware ESXi instances, was discovered. As for many other ransomware families, AvosLocker’s selling model is Ransomware-as-a-Service (RaaS).\r\nIf the target directory for the ESXi encryptor is /vmfs/volumes, then the tool searches only for files with .log, .vmdk, .vmem, .vswp, .vmsn extensions. Otherwise, it recursively encrypts all files in the given directory. Before the file encryption starts, AvosLocker shuts down the ESXi virtual machines using the esxcli command-line utility.\r\nhttps://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html\r\nPage 1 of 7\r\nAvosLocker uses a combination of the stream cipher Salsa20 and RSA. When the encryption is completed, it appends the .avoslinux or .avos2 extension to the filename. At the end, it drops a text file “README_FOR_RESTORE”, which contains a ransom note.\r\nIOCs:\r\n0cd7b6ea8857ce827180342a1c955e79c3336a6cf2000244e5cfd4279c5fc1b6\r\nBlackCat\r\nBlackCat, also known as ALPHV, is the first widely known ransomware written in the Rust programming language. Its appearance in late 2021 was highlighted by the ability to target many platforms, including VMware ESXi. BlackCat operates under the Ransomware-as-a-Service (RaaS) model.\r\nLike many other ransomware families, for encryption BlackCat has chosen a combination of the stream cipher Salsa20 and RSA. Before starting the encryption, BlackCat shuts down the virtual machines with the esxcli command-line utility.\r\nThe tool targets files with all extensions. The extension that the ransomware adds to the names of the encrypted files looks like a random combination of alphabetic characters and digits, and it is always specific to the system. Examples of the extensions are .dkrpx75, .kh1ftzx, and .wpzlbji. After encryption, the tool drops a text file “RECOVER-XXXXXXX-FILES.txt” with a ransom note (“XXXXXXX” is the extension added to encrypted files).\r\nIOCs:\r\n3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1\r\nHive\r\nThe Hive ransomware group, working under the RaaS model, was discovered in June 2021. Four months later, in October 2021, the first variant targeting VMware ESXi, written in Golang, was observed. According to ESET, the sample couldn’t run properly. Following BlackCat’s trend, around March 2022, the authors of Hive ported their product to the Rust programming language.\r\nIOCs:\r\n6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0\r\n2e52494e776be6433c89d5853f02b536f7da56e94bbe86ae4cc782f85bed2c4b\r\nLuna\r\nThe Luna ransomware appeared in July 2022. Unlike its competitors, this threat targeted VMware ESXi instances from the day it started operating. The Luna threat actors chose the cross-platform programming language Rust to develop their ransomware components. Similar to other ransomware threats, Luna operates as RaaS.\r\nThe ESXi encryptor targets all folders and files except for the set of those that can be found only on Windows: OpenServer, Windows, Program Files, Recycle.Bin, ProgramData, AppData, All Users; .ini, .dll, .exe, .lnk. For file encryption the ransomware uses a combination of X25519 and AES. Unlike most of the competitors, Luna does not shut down the virtual machines, which may lead to file corruption or inability to decrypt the encrypted files.\r\nWhen the file is encrypted, Luna appends the .Luna extension to the file’s name and then creates a text file “readme-Luna.txt” with a ransom note.\r\nIOCs:\r\n1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51\r\nREvil\r\nREvil (aka Sodinokibi) is one of the most notorious ransomware gangs. It was formed in 2019 and has since operated following the RaaS model. In June 2021 the ransomware started targeting VMware ESXi instances. The alleged authors were arrested by the Russian authorities in January 2022, but as of today (September 2022) the gang is still believed to be active.\r\nREvil’s ESXi encryptor can be executed without parameters. It will then immediately start encrypting all files in the current directory. Before encrypting the files, the tool tries to shut down the virtual machines with the esxcli command-line utility. When the files are encrypted, it appends a specific extension to the file’s name, e.g., .rhkrc, .qoxaq, .naixq. In the folder where the encrypted files are located, it also drops the “XXXXX-readme.txt” file with a ransom note (the XXXXX string is replaced with the chosen random extension).\r\nIOCs:\r\nea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4\r\nHelloKitty\r\nThe HelloKitty ransomware emerged in late 2020. Unlike most families, which operate under the Ransomware-as-a-Service (RaaS) model, HelloKitty is used exclusively by the gang ViceSociety, which targets companies using human-operated double-extortion campaigns. In July 2021 an encryptor that explicitly targeted VMware ESXi systems was discovered.\r\nThe target path must be given to the ESXi encryptor as a parameter during execution. Before the file encryption starts, the tool tries to shut down the virtual machines with the esxcli command-line utility.\r\nFor file encryption the tool uses a combination of the symmetric key encryption cipher AES and the public key encryption cipher RSA. After the file is encrypted, HelloKitty appends the .crypt extension to the file’s name and then drops a “\u003cfile_name\u003e.tmp.README_TO_RESTORE” file with a ransom note in the same folder where the file resides.\r\nIOCs:\r\n8f3db63f70fad912a3d5994e80ad9a6d1db6c38d119b38bc04890dfba4c4a2b2\r\nBlack Basta\r\nThe first samples of the Black Basta ransomware date back to February 2022. Five months later, in June 2022, the gang released a new encryptor targeting VMware ESXi. The ransomware operates following the RaaS model.\r\nWhen executed without parameters, the ESXi encryptor starts encrypting all files in the /vmfs/volumes folder, where the files of the ESXi virtual machines reside.\r\nThe encryptor uses a combination of the stream cipher ChaCha20 and RSA. After encryption, the tool adds the .basta extension to the encrypted file and then drops a “readme.txt” text file with a ransom note. Unlike most of the ESXi encryptors, Black Basta does not shut down the virtual machines prior to encryption, which may lead to file corruption and inability to decrypt the encrypted files.\r\nIOCs:\r\n0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef\r\nDarkSide/BlackMatter\r\nThe actors behind DarkSide initially distributed REvil ransomware but grew tired of sharing the profits with the REvil ransomware-as-a-service (RaaS) operator, so they decided to create their own ransomware. The DarkSide ransomware has been used to target a wide variety of organizations across North America and Europe. Most famously, the U.S. fuel distribution company Colonial Pipeline was held ransom by DarkSide, dramatically affecting gasoline distribution on the East Coast. DarkSide initially targeted Windows hosts but quickly evolved to include Linux targets, and in particular those running on ESXi servers. These servers are usually targeted after the threat actors gain access to a VMware vCenter deployment, often by means of stolen credentials.\r\nThe DarkSide ransomware uses the ChaCha20 and RSA ciphers for encryption, and adds a “.darkside” extension to the files, eventually dropping a ransom note named “darkside_readme.txt”.\r\nBlackMatter is considered an evolution of the DarkSide ransomware. Interestingly, the actors behind BlackMatter made sure to publicly announce that they were not targeting specific verticals, such as healthcare, oil and gas, government, and critical infrastructure companies, possibly following the backlash that the Colonial Pipeline attack created, and the unwanted attention that the DarkSide operators received.\r\nIOCs:\r\n984ce69083f2865ce90b48569291982e786980aeef83345953276adfcbbeece8\r\n9cc3c217e3790f3247a0c0d3d18d6917701571a8526159e942d0fffb848acffb\r\nc93e6237abf041bc2530ccb510dd016ef1cc6847d43bf023351dce2a96fdc33b\r\nda3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5\r\nDefray777/RansomEXX\r\nDefray777 is a Linux-based, command-line driven ransomware that employs traditional methods for enumerating folders and files on a system and then encrypts them using hardcoded encryption keys. Typically, this malware requires a set of command line arguments that specify the folder in which the ransomware should start its encryption.\r\nThe malware then enumerates all folders and files in the specified directory, targeting file names that do not contain the encrypted extension and do not match the ransom note filename. Finally, the ransom note is created and written to the filesystem.\r\nAnalysis of the code within the Defray777 malware suggests that it is an evolution of the RansomEXX ransomware threat. This is based partially on the similarities of hardcoded data but also on very similar programming styles.\r\nIOCs:\r\ncb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849\r\nGwisinLocker\r\nGwisinLocker, a ransomware targeting companies exclusively in South Korea, was discovered in July 2022. It supports both Windows and Linux systems. The latter variant also targets VMware ESXi systems.\r\nWhen executed without parameters, the ESXi encryptor starts encrypting all files in the system. It has the ability to shut down the virtual machines, but this feature is not active by default.\r\nGwisinLocker combines the symmetric cipher AES and RSA. After the file is encrypted, it adds an extension consisting of random characters to the file’s name and then creates another file with the same name and “0” (the zero character) appended, where it stores the encrypted AES key for the encrypted file. Afterwards, it creates the “!!!_HOW_TO_UNLOCK_XXXXX_FILES_!!!.TXT” text file with a ransom note, where XXXXX is the appended extension.\r\nIOCs:\r\n7594bf1d87d35b489545e283ef1785bb2e04637cc1ff1aca9b666dde70528e2b\r\nCheerscrypt\r\nThe Cheerscrypt ransomware was discovered in May 2022. The code of Cheerscrypt shows many similarities with the code of Babuk, specifically its ESXi encryptor. It’s no surprise that the authors of Cheerscrypt took Babuk’s C code as the basis for their project.\r\nOne of the key differences from Babuk is that, prior to file encryption, Cheerscrypt shuts down the virtual machines with the help of the esxcli command-line utility.\r\nFor file encryption, Cheerscrypt uses a combination of the stream cipher Sosemanuk and ECDH, similar to what Babuk does. After encryption, the tool appends the .Cheers extension to the file’s name and then drops the text file “How To Restore Your Files.txt” with a ransom note.\r\nIOCs:\r\nUnavailable at the time of writing.\r\nRedAlert\r\nThe RedAlert ransomware, targeting VMware ESXi, was discovered in July 2022. Unlike its competitors, it can be configured using a number of parameters. For example, the -w parameter can be used to stop all running virtual machines with the help of the esxcli command-line utility, while -r can be used to enable the recursive encryption mode.\r\nOne interesting feature of the encryptor, which differentiates it from the other ransomware samples, is that it requires root privileges. Before any encryption attempt it tries to drop a configuration file to the root directory and fails to do so when running under the privileges of a normal user.\r\nThe encryptor targets files with .log, .vmdk, .vmem, .vswp, .vmsn extensions only. For encryption, it uses a combination of AES and the public key cryptosystem NTRUEncrypt, which is unusual. After the file is encrypted, it adds the .crypt[number] extension to the file’s name and then drops the “HOW_TO_RESTORE” text file with a ransom note.\r\nIOCs:\r\n039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09\r\nLockbit\r\nLockbit has become one of the most prolific ransomware families known today. Discovered in 2019, it operates under the RaaS model. Its VMware ESXi encryptor component is one of the oldest, and was discovered back in October 2021.\r\nThe tool is able to shut down virtual machines by executing the esxcli command-line utility, and it uses a combination of AES and ECC (Curve25519) for encryption. This ransomware tool appends the .lockbit extension to the file’s name and then drops a text file with a ransom note.\r\nIOCs:\r\nf3a1576837ed56bcf79ff486aadf36e78d624853e9409ec1823a6f46fd0143ea\r\nConti\r\nThe Conti ransomware appeared in December 2019. Like many other ransomware families, it operates following the RaaS model. In March 2022, the source code of the Windows version of the ransomware and the builder, as well as the gang members’ chats, were leaked, exposing their conversation about plans to build an ESXi encryptor. One month later, in April 2022, the ESXi encryptor was discovered.\r\nThe ESXi encryptor requires the target directory to be specified. All files in that directory will be encrypted. The tool is also able to shut down virtual machines prior to encryption with the help of the esxcli command-line utility.\r\nFor file encryption the tool uses a combination of the stream cipher Salsa20 and RSA. After encryption, it appends the .conti extension to the filenames and then drops the text file readme.txt with a ransom note.\r\nIOCs:\r\n95776f31cbcac08eb3f3e9235d07513a6d7a6bf9f1b7f3d400b2cf0afdb088a7\r\nConclusions\r\nRansomware can be a devastating threat. ESXi-targeting ransomware can cause infrastructure-level damage that requires substantial resources for recovery and mitigation. Therefore, it is important to understand this type of threat, and create countermeasures to prevent the compromise of ESXi hosts.\r\nVMware provides a collection of resources to protect your infrastructure against ransomware.\r\nIn addition, VMware’s NSX Advanced Threat Protection delivers the broadest set of threat detection capabilities that span network IDS/IPS and behavior-based network traffic analysis. This also includes VMware NSX Sandbox, a network sandbox offering based on a full-system emulation technology that has visibility into every malware action. VMware NSX is purpose-built to protect data center traffic with the industry’s highest fidelity insights into advanced threats.\r\nSource: https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html"
	],
	"report_names": [
		"esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434326,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f590eb62908f89341524cd7d0d86ed7706513bf.pdf",
		"text": "https://archive.orkl.eu/5f590eb62908f89341524cd7d0d86ed7706513bf.txt",
		"img": "https://archive.orkl.eu/5f590eb62908f89341524cd7d0d86ed7706513bf.jpg"
	}
}